In all configurations you need some kind of http_access rules telling what access rules you want to apply. If your http_access rules never make use of authentication (via a proxy_auth acl type or an external acl type with %LOGIN in the format specification) then authentication will not be required.

As for the wb_group question: Make sure that you copy the correct headers from Samba to each of the winbind helpers, as the winbind headers shipped with Squid only work with Samba-2.2.4 and 2.2.5... This applies to all three native winbind helpers shipped with Squid:

helpers/basic_auth/wb_auth/
helpers/ntlm_auth/wbntlm_auth/
helpers/external_acl/wb_group/

Regards
Henrik

Simon Bryan wrote:
>
> Hi all,
>
> I am using Squid2.5STABLE1 on RH7.2, have successfully implemented ntlm
> authentication (after much grief related to getting Samba to compile
> properly). I was following another thread in this list about ntlm and not
> needing a proxy_auth line when using an external authenticator. Which turned
> out to be true, however it seems to also then allow non-authenticated use of
> the proxy! I see now that there are large numbers of lines in my logs where
> the 'user' is the machine's IP address and the download is permitted.
> Previously they would be denied. Is this correct behaviour? I find I need:
>
> acl password proxy_auth REQUIRED
> http_access deny all !password
>
> for access to non-authenticated users to be denied. Or am I doing something
> dumb (again!)?
>
> Also should I be able to use:
>
> acl staff external wb_group Teachers
>
> in http_access rule like:
>
> acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
> http_access allow webmail staff
> http_access deny webmail
>
> cause it doesn't seem to work for me, the docs seem to indicate that it is
> possible. 'Teachers' is a group on the NT Server.
>
> ****************************************************************************
> I believe the relevant lines of my conf file are below:
>
> auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
> auth_param basic children 20
> auth_param basic realm Poxy server at OLMC
> auth_param basic credentialsttl 1 hours
>
> external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
> acl winauth external wb_group wwwusers
> acl staff external wb_group Teachers
> authenticate_ttl 1 hour
> authenticate_ip_ttl 300 seconds
>
> # TIMEOUTS
> # ACCESS CONTROLS
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl cachemanager src 10.192.0.21
> acl SSL_ports port 443 563 4545
> acl Safe_ports port 21 70 80 81 82 88 210 563 1010 1025-65535 1082 4545
> acl CONNECT method CONNECT
> acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCL UNLOCK
> acl password proxy_auth REQUIRED
>
> http_access deny all !password
>
> _________________________________________
> Simon Bryan
> IT Manager
> OLMC Parramata
> ICQ#: 137562751
> _________________________________________
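
The rule ordering discussed in this thread, as an added squid.conf example that is not part of either message: it puts the rule set that lets anonymous requests through next to one that forces a login for everything. The ACL names, group name and paths are taken from the quoted configuration; the catch-all `http_access allow all` rule is an assumption made for illustration, since the thread does not show which allow rule was in use.

```squidconf
# Added example, not from the thread. Names and paths come from the quoted
# configuration; the final "allow all" rule is assumed for illustration.

external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
acl staff    external wb_group Teachers
acl password proxy_auth REQUIRED
acl webmail  dstdomain "/etc/dansguardian/blacklists/mail/domains"
acl all      src 0.0.0.0/0.0.0.0

# ---- Weak rule set: authentication only where a rule references it ----
# ACLs on one http_access line are tested left to right, so "staff" (and
# with it the %LOGIN lookup) is only reached once "webmail" has matched.
# Every other request goes straight to "allow all" and is logged with the
# client IP address and no user name.
#
#   http_access allow webmail staff
#   http_access deny  webmail
#   http_access allow all

# ---- Corrected rule set: every request must carry a valid login ----
# The first line references a proxy_auth acl for all clients, so requests
# without valid credentials are denied before any allow rule is reached.
http_access deny  all !password

# Webmail destinations: only members of the NT group "Teachers".
http_access allow webmail staff
http_access deny  webmail

# Everything else: allowed, but only for users who passed the first rule.
http_access allow all
```

After reloading the configuration, the access log should show a user name rather than a bare client IP address on every permitted request; IP-only entries mean some allow rule is still being reached before a login-based ACL.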
